Transcription
Popa and Wagner, Computer Science 161 Spring 2020
Lecture 3: Buffer Overflows
https://cs161.org
Boarding pass example (fixed-width fields):

    #293 HRE-THR 850 1930
    ALICE SMITH        COACH
    SPECIAL INSTRUX: NONE
The name field runs over into the class field:

    #293 HRE-THR 850 1930
    ALICE SMITHHHHHHHHHHHHHACH
    SPECIAL INSTRUX: NONE

How could Alice exploit this? Find a partner and talk it through.
    #293 HRE-THR 850 1930
    ALICE SMITH        FIRST
    SPECIAL INSTRUX: NONE
    char name[20];

    void vulnerable() {
        ...
        gets(name);
        ...
    }

    char name[20];
    char instrux[80] = "none";

    void vulnerable() {
        ...
        gets(name);
        ...
    }

    char name[20];
    int seatinfirstclass = 0;

    void vulnerable() {
        ...
        gets(name);
        ...
    }

    char name[20];
    int authenticated = 0;

    void vulnerable() {
        ...
        gets(name);
        ...
    }

    char line[512];
    char command[] = "/usr/bin/finger";

    void main() {
        ...
        gets(line);
        ...
        execv(command, ...);
    }

    char name[20];
    int (*fnptr)();

    void vulnerable() {
        ...
        gets(name);
        ...
    }
    void vulnerable() {
        char buf[64];
        ...
        gets(buf);
        ...
    }

Still vulnerable?

    void still_vulnerable?() {
        char *buf = malloc(64);
        ...
        gets(buf);
        ...
    }
Disclaimer: x86-32
- For this class, we are going to use 32-bit x86
- Almost everyone in this class has access to an x86 system: Mac, Linux, Windows
- But these attacks do apply to other microarchitectures
Linux (32-bit) process memory layout (from high addresses to low):

    0xFFFFFFFF   reserved for kernel
    0xC0000000   user stack (esp)
    0x40000000   shared libraries
                 brk
                 run-time heap
                 static data segment    (loaded from exec)
                 text segment (program) (loaded from exec)
    0x08048000
                 unused
    0x00000000
The main x86 registers
- EAX-EDX: general purpose registers
- EBP: "Frame pointer": points to the start of the current call frame on the stack
- ESP: "Stack pointer": points to the current stack
- PUSH: decrement the stack pointer and store something there
- POP: load something and increment the stack pointer
x86 function calling
- Place the arguments on the stack
- CALL the function
  - Which pushes the return address onto the stack (RIP = Return Instruction Pointer)
- Function saves old EBP on the stack (SFP = Saved Frame Pointer)
- Function does its stuff
- Function restores everything
  - Reload EBP, pop ESP as necessary
- RET
  - Which jumps to the return address that is currently pointed to by ESP
  - And can optionally pop the stack a lot further
Buffer Overflows
Stack frame layout (figure in the original): the user stack sits below 0xC0000000. Each call frame holds, from higher to lower addresses, the arguments, the return address (pointing to the point at which this function was called), the saved frame pointer (pointing to the previous saved frame pointer), exception handlers, local variables, and callee-saved registers. Below the stack come the shared libraries (0x40000000), the run-time heap, the static data segment, the text segment (program) above 0x08048000, and unused memory down to 0x00000000.
    void safe() {
        char buf[64];
        ...
        fgets(buf, 64, stdin);
        ...
    }

    void safer() {
        char buf[64];
        ...
        fgets(buf, sizeof(buf), stdin);
        ...
    }
Assume these are both under the control of an attacker.

    void vulnerable(int len, char *data) {
        char buf[64];
        if (len > 64)
            return;
        memcpy(buf, data, len);
    }

    memcpy(void *s1, const void *s2, size_t n);

size_t is unsigned: what happens if len = -1?
    void safe(size_t len, char *data) {
        char buf[64];
        if (len > 64)
            return;
        memcpy(buf, data, len);
    }
    void f(size_t len, char *data) {
        char *buf = malloc(len + 2);
        if (buf == NULL)
            return;
        memcpy(buf, data, len);
        buf[len] = '\n';
        buf[len + 1] = '\0';
    }

Is it safe? Talk to your partner.

Vulnerable! If len = 0xffffffff, allocates only 1 byte.
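The two length-check failures above, the signed len in vulnerable() and the wrapping len + 2 in f(), reduced to checks you can run, plus a hardened f(). This is an added example, not code from the lecture; like the lecture's f(), it assumes len is the number of bytes readable at data, and it uses SIZE_MAX so the wrap case works on both 32- and 64-bit builds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The "if (len > 64) return;" test from vulnerable(), taken on its own:
 * with a signed len, every negative value gets past it. */
int signed_check_accepts(int len)
{
    return !(len > 64);
}

/* What memcpy's size_t parameter receives for that len: -1 becomes
 * SIZE_MAX, so the copy would run far past the 64-byte buffer. */
size_t memcpy_size_for(int len)
{
    return (size_t)len;
}

/* Does len + 2 wrap around in size_t? This is the bug in f(): for the
 * largest len, malloc(len + 2) asks for only 1 byte. */
int len_plus_two_wraps(size_t len)
{
    return len > SIZE_MAX - 2;
}

/* Hardened f(): refuse any len whose len + 2 would wrap before malloc
 * sees it. Returns a malloc'd copy of data followed by '\n' and '\0',
 * or NULL on a rejected length or allocation failure. Caller frees. */
char *f_safe(size_t len, const char *data)
{
    if (len_plus_two_wraps(len))
        return NULL;
    char *buf = malloc(len + 2);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return buf;
}
```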
Memory Safety
    void vulnerable() {
        char buf[64];
        if (fgets(buf, 64, stdin) == NULL)
            return;
        printf(buf);
    }
    printf("you scored %d\n", score);

Stack diagram (figure in the original): above printf()'s own frame sit the saved frame pointer (sfp), the return address (rip), the pointer to the format string (0x8048464), and score.
    printf("a %s costs %d\n", item, price);

Stack diagram (figure in the original): above printf()'s frame sit sfp, rip, the format string pointer 0x8048464, item, and price; the bytes of "a %s costs %d\n\0" themselves live at 0x8048464.
Fun With printf format strings

Format argument is missing!

    printf("100% dude!");

Stack diagram (figure in the original): above printf()'s frame sit sfp, rip, and the format string pointer 0x8048464; the slot where the argument for "% d" should be holds whatever happens to be there (marked ?). The bytes of "100% dude!\0" live at 0x8048464.
More Fun With printf format strings
- printf("100% dude!"); prints value 4 bytes above retaddr as integer
- printf("100% sir!"); prints bytes pointed to by that stack entry up through first NUL
- printf("%d %d %d %d ."); prints series of stack entries as integers
- printf("%d %s"); prints value 8 bytes above retaddr plus bytes pointed to by preceding stack entry
- printf("100% nuke'm!"); What does the %n format do?
%n writes the number of characters printed so far into the corresponding format argument.

    int report_cost(int item_num, int price) {
        int colon_offset;
        printf("item %d:%n %d\n", item_num, &colon_offset, price);
        return colon_offset;
    }

report_cost(3, 22) prints "item 3: 22" and returns the value 7.
report_cost(987, 5) prints "item 987: 5" and returns the value 9.
Fun With printf format strings (the %n case from the list above)
- printf("100% nuke'm!"); writes the value 3 to the address pointed to by stack entry
    void safe() {
        char buf[64];
        if (fgets(buf, 64, stdin) == NULL)
            return;
        printf("%s", buf);
    }
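An added check, not code from the lecture: a small scanner that counts the conversions a format string would pull off the stack and flags %n. Run over the lecture's own strings it shows why "100% dude!" consumes one argument and why "100% nuke'm!" is a write; a logging wrapper can apply the same check before handing any string to printf as a format. The scanner follows printf's directive grammar (flags, width, precision with '*' consuming an argument, h/l/L/q/j/z/t length modifiers, "%%" consuming nothing).

```c
#include <stddef.h>
#include <string.h>

/* Count the arguments a printf-style format string consumes, and set
 * *has_n if any directive is %n. A dangling '%' at the end of the
 * string consumes nothing. */
int count_conversions(const char *fmt, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* character after '%' */
        if (*p == '%')                         /* "%%": literal '%'  */
            continue;
        while (*p != '\0' && strchr("-+ #0", *p) != NULL)
            p++;                               /* flags, e.g. "% d"  */
        if (*p == '*') {                       /* width from an argument */
            count++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                       /* precision */
            p++;
            if (*p == '*') {
                count++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL)
            p++;                               /* length modifiers */
        if (*p == '\0')
            break;                             /* dangling '%' */
        if (*p == 'n')
            *has_n = 1;
        count++;                               /* the conversion itself */
    }
    return count;
}
```

Any untrusted string for which count_conversions() returns nonzero must not be used as the format; print it through "%s" as in safe() above.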
It isn't just the stack.
- Control flow attacks require that the attacker overwrite a piece of memory that contains a pointer for future code execution
  - The return address on the stack is just the easiest target
- You can cause plenty of mayhem overwriting memory in the heap
  - And it is made easier when targeting C++
  - Allows alternate ways to hijack control flow of the program
Compiler Operation: Compiling Object Oriented Code

    class Foo {
        int i, j, k;
    public:
        virtual void bar() { ... }
        virtual void baz() { ... }
    };

Object layout of a Foo: vtable ptr (class Foo), i, j, k
vtable for class Foo: ptr to Foo::bar, ptr to Foo::baz, ...
A Few Exploit Techniques
- If you can overwrite a vtable pointer
  - It is effectively the same as overwriting the return address pointer on the stack: when the function gets invoked the control flow is hijacked to point to the attacker's code
  - The only difference is that instead of overwriting with a pointer you overwrite it with a pointer to a table of pointers
- Heap overflow: a buffer in the heap is not checked
  - Attacker writes beyond and overwrites the vtable pointer of the next object in memory
- Use-after-free: an object is deallocated too early
  - Attacker writes new data in a newly reallocated block that overwrites the vtable pointer
  - Object is then invoked
Magic Numbers & Exploitation
- Exploits can often be very brittle
  - You see this on your Project 1: your ./egg will not work on someone else's VM because the memory layout is different
  - Making an exploit robust is an art unto itself
- EXTRABACON is an NSA exploit for Cisco ASA "Adaptive Security Appliances"
  - It had an exploitable stack-overflow vulnerability in the SNMP read operation
  - But actual exploitation required two steps: query for the particular version (with an SNMP read), then select the proper set of magic numbers for that version
A hack that helps: NOOP sled
- Don't just overwrite the pointer and then provide the code you want to execute
- Instead, write a large number of NOOP operations
  - Instructions that do nothing
- Now if you are a little off, it doesn't matter
  - Since if you are close enough, control flow will land in the sled and start running
ETERNALBLUE
- ETERNALBLUE is another NSA exploit
  - Stolen by the same group ("ShadowBrokers") which stole EXTRABACON
- Remote exploit for Windows through SMBv1 (Windows file sharing)
- Eventually it was very robust
  - But initially it was jokingly called ETERNALBLUESCREEN, because it would crash Windows computers more reliably than exploitation
Memory Safety
- Memory safety: no accesses to undefined memory
  - "Undefined" is with respect to the semantics of the programming language
  - Read access: attacker can read memory that he isn't supposed to
  - Write access: attacker can write memory that she isn't supposed to
  - Execute access: transfer control flow to memory they aren't supposed to
- Spatial safety: no access out of bounds
- Temporal safety: no access before or after lifetime of object